What is the ISC2 ISSMP (Information Systems Security Management Professional) certification?
The Information Systems Security Management Professional, or ISSMP, is an advanced certification designed for those in leadership roles in an organization. This includes professionals in the C-suite charged with managing IT and/or cybersecurity.
The International Information System Security Certification Consortium, also known as ISC2, offers the ISSMP to help experienced professionals showcase their knowledge and abilities as they advance their IT careers — not to mention boost their cybersecurity salaries. At the same time, the certification is a valuable tool for organizations that need to verify the skillsets of potential candidates and continue to upskill their internal staff.
So, what’s involved in earning your ISSMP certification? Who is it for? We will answer these questions, list the domains of knowledge it covers and other important details such as exam cost and study resources. This guide equips you with the information you need to make an informed decision on whether an ISSMP certification is right for you at this time.
For a comprehensive overview of certification pathways in cybersecurity, download our free Cybersecurity certifications and skills roadmap.
What happened to the CISSP-ISSMP?
This certification used to be called the CISSP-ISSMP. The Certified Information Systems Security Professional (CISSP) is a certification designed for those who build, implement and maintain cybersecurity programs. It used to be a prerequisite for earning your CISSP-ISSMP.
However, as of October 23, 2023, the ISC2 removed the CISSP requirement. Even though the CISSP certification is still valid (and very popular), it’s no longer required to earn your ISSMP. That being said, at a high level, the ISSMP still serves a purpose similar to what it did when it was called the CISSP-ISSMP. It verifies the certification holder excels at implementing, presenting and governing organizational information security programs.
Who should earn the ISSMP?
The ISSMP is intended for management roles within an organization that are responsible for establishing, presenting and managing its information security program. This includes those aspiring to, or already in, the roles of chief technology officer (CTO), chief information officer (CIO) or any other management position overseeing organizational information security or IT security.
Whether you’ve recently moved into the managerial ranks or are a mid-career professional drawing up your roadmap (get your free cybersecurity and career ebook), the ISSMP can help you reach the next level.
What are the six domains covered by ISSMP?
The current version of the ISSMP exam consists of the following domains:
- Domain 1: Leadership and Business Management: 20%
- Domain 2: Systems Lifecycle Management: 18%
- Domain 3: Risk management: 19%
- Domain 4: Threat Intelligence and Incident Management: 17%
- Domain 5: Contingency Management: 15%
- Domain 6: Law, Ethics and Security Compliance Management: 11%
Now, let’s take a deeper look at each domain. For the full list of topics, review the official ISSMP exam outline published by ISC2.
Domain 1: Leadership and Business Management: 20%
Described as the broadest of all the domains, Domain 1 focuses on the high-level requirements that must be fulfilled for the overarching organizational information security program to be successful. This domain tests the following subdomains:
- Establish security’s role in organizational culture, vision and mission
- Align security program with organizational governance
- Define and implement information security strategies
- Define and maintain security policy frameworks
- Manage security requirements in contracts and agreements
- Oversee security awareness and training programs
- Define, measure and report security metrics
- Prepare, obtain and administer security budgets
- Manage security programs
- Apply product development and project management principles
Domain 2: Systems Lifecycle Management: 18%
This domain had a minor reduction in weight from 19% to 18% in the most recent update. Several versions ago, the domain was called Security Lifecycle Management; the rename to Systems Lifecycle Management highlights that security is expected to be built into every stage of the system lifecycle, as the subdomains below show:
- Manage integration of security into system development lifecycles (SDLC)
- Integrate new business initiatives and emerging technologies into the security architecture
- Define and oversee comprehensive vulnerability management programs
- Manage security aspects of change control
Domain 3: Risk Management: 19%
Risk management saw a slight shift in weight from 18% to 19% in the most recent exam update. It has only three subdomains, but they are crucial to effective cybersecurity management:
- Develop and manage a risk management program
- Conduct risk assessments (RA)
- Manage security risks within the supply chain
Domain 4: Threat Intelligence and Incident Management: 17%
This domain’s weight did not change. It is a relatively new domain that covers what an organizational management professional needs to know about both threat intelligence and incident management:
- Establish and maintain threat intelligence programs
- Establish and maintain incident handling and investigation programs
Domain 5: Contingency Management: 15%
Contingency management tests:
- Oversee development of contingency plans (CP)
- Guide development of recovery strategies
- Maintain business continuity plan (BCP), continuity of operations plan (COOP) and disaster recovery plan (DRP)
- Manage recovery process
Domain 6: Law, Ethics and Security Compliance Management: 11%
This domain will test mastery over:
- Understand the impact of laws that relate to information security
- Understand management issues as related to the ISC2 code of ethics
- Validate compliance in accordance with applicable laws, regulations and industry best practices
- Coordinate with auditors and assist with the internal and external audit process
- Document and manage compliance exceptions
Other ISSMP exam information
- Exam length — 3 hours
- Number of questions — 125
- Exam format — multiple-choice questions
- Passing score — 700 out of 1000
- Exam cost — $599 USD
- Exam location — Pearson VUE testing center
If a candidate does not pass the exam on the first attempt, they must wait 30 days before retaking it. After a second unsuccessful attempt, the wait is 60 days, and every unsuccessful attempt after that requires a 90-day waiting period before retesting. You may attempt the exam at most four times in a twelve-month period.
ISSMP study resources
Enrolling in an ISSMP Boot Camp is one of the most effective ways to prepare for your ISSMP exam. With Infosec’s boot camp, you get four days of focused training covering the exam’s domains and the practical knowledge required to attain mastery as an IT or cybersecurity manager.
You can also draw on other study resources; these are a few that many candidates have found helpful on their way to a passing score:
- ISC2’s self-study resources, which it makes available on its website
- The Official CISSP-ISSMP Flash Cards from ISC2
- Forums like Reddit and TechExams, as well as YouTube and podcasts, can also be a great resource for learning more about the ISSMP
Should you earn your ISSMP?
By earning your ISSMP certification, you differentiate yourself from the competition, especially in high-level IT managerial roles like CIO and CTO. It verifies the knowledge necessary for implementing, presenting and managing an organization’s information security program. In addition to joining an elite group of certification holders, you may earn significantly more money.
If you’re currently involved in information security management, you may want to consider this certification to accelerate your career and maximize your earnings. To learn more about how to prepare for the ISSMP — and other certifications — check out our ISSMP Boot Camp or boot camp catalog.